19ffc101f7c4457a5adb66b38ce5823d52f596b323578de48d3585b1b57d24c6

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exe
Size

4.2MB
MD5

35610a0893af03997f22475ddfefd41d
SHA1

42fd96d5d157dc27f6a181cad9e014a26ec43a29
SHA256

9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8
SHA512

478ccec867ecbc1f78fc0b4b436cf9edda43f14542c17ae028b9f9bfba66ef32d0d91d7a8f17cc3af8f0fb5f60bbe49575d1f0b65bbbfe2036b77377d9ff107a
SSDEEP

98304:Zlck2pgTvADDboPjS9eS+JlkmKlRVlwIVP5mexNHw+1b0D3AP:Zl12p2AD/oPjS9efkmKlRVlwIDmevHws

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

Processes:

2jO2720.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	2jO2720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	2jO2720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	2jO2720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	2jO2720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	2jO2720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	2jO2720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	2jO2720.exe

Drops startup file 1 IoCs

Processes:

2jO2720.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk 2jO2720.exe
Executes dropped EXE 5 IoCs

Processes:

Bw9gV17.exeOW0HN88.exelM5ar59.exe1DJ58Bv1.exe2jO2720.exe

pid process

2816 Bw9gV17.exe
1544 OW0HN88.exe
1944 lM5ar59.exe
1020 1DJ58Bv1.exe
4388 2jO2720.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	2jO2720.exe

pid	process
2816	Bw9gV17.exe
1544	OW0HN88.exe
1944	lM5ar59.exe
1020	1DJ58Bv1.exe
4388	2jO2720.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2jO2720.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	2jO2720.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	2jO2720.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exeBw9gV17.exeOW0HN88.exelM5ar59.exe2jO2720.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Bw9gV17.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	OW0HN88.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	lM5ar59.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	2jO2720.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DJ58Bv1.exe	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4720 schtasks.exe
3724 schtasks.exe

pid	process
4720	schtasks.exe
3724	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exepowershell.exeidentity_helper.exemsedge.exe

pid	process
1708	msedge.exe
1708	msedge.exe
3660	msedge.exe
3660	msedge.exe
1796	powershell.exe
1796	powershell.exe
1796	powershell.exe
2356	identity_helper.exe
2356	identity_helper.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
3660 msedge.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2jO2720.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4388 2jO2720.exe
Token: SeDebugPrivilege 1796 powershell.exe

pid	process
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4388	2jO2720.exe
Token: SeDebugPrivilege	1796	powershell.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

1DJ58Bv1.exemsedge.exe

pid	process
1020	1DJ58Bv1.exe
1020	1DJ58Bv1.exe
1020	1DJ58Bv1.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

1DJ58Bv1.exemsedge.exe

pid	process
1020	1DJ58Bv1.exe
1020	1DJ58Bv1.exe
1020	1DJ58Bv1.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exeBw9gV17.exeOW0HN88.exelM5ar59.exe1DJ58Bv1.exemsedge.exe

description	pid	process	target process
PID 3700 wrote to memory of 2816	3700	9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exe	Bw9gV17.exe
PID 3700 wrote to memory of 2816	3700	9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exe	Bw9gV17.exe
PID 3700 wrote to memory of 2816	3700	9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exe	Bw9gV17.exe
PID 2816 wrote to memory of 1544	2816	Bw9gV17.exe	OW0HN88.exe
PID 2816 wrote to memory of 1544	2816	Bw9gV17.exe	OW0HN88.exe
PID 2816 wrote to memory of 1544	2816	Bw9gV17.exe	OW0HN88.exe
PID 1544 wrote to memory of 1944	1544	OW0HN88.exe	lM5ar59.exe
PID 1544 wrote to memory of 1944	1544	OW0HN88.exe	lM5ar59.exe
PID 1544 wrote to memory of 1944	1544	OW0HN88.exe	lM5ar59.exe
PID 1944 wrote to memory of 1020	1944	lM5ar59.exe	1DJ58Bv1.exe
PID 1944 wrote to memory of 1020	1944	lM5ar59.exe	1DJ58Bv1.exe
PID 1944 wrote to memory of 1020	1944	lM5ar59.exe	1DJ58Bv1.exe
PID 1020 wrote to memory of 3660	1020	1DJ58Bv1.exe	msedge.exe
PID 1020 wrote to memory of 3660	1020	1DJ58Bv1.exe	msedge.exe
PID 3660 wrote to memory of 4940	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 4940	3660	msedge.exe	msedge.exe
PID 1944 wrote to memory of 4388	1944	lM5ar59.exe	2jO2720.exe
PID 1944 wrote to memory of 4388	1944	lM5ar59.exe	2jO2720.exe
PID 1944 wrote to memory of 4388	1944	lM5ar59.exe	2jO2720.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1556	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1708	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 1708	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 5096	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 5096	3660	msedge.exe	msedge.exe
PID 3660 wrote to memory of 5096	3660	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exe
"C:\Users\Admin\AppData\Local\Temp\9966ddcefba77b1337606836fd7507a61fc0f6488163d75c6c426d9c488139d8.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3700

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bw9gV17.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bw9gV17.exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2816

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OW0HN88.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OW0HN88.exe
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1544

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lM5ar59.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lM5ar59.exe
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DJ58Bv1.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DJ58Bv1.exe
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
6⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffb581546f8,0x7ffb58154708,0x7ffb58154718
7⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
7⤵
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
7⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
7⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
7⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
7⤵
PID:416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
7⤵
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
7⤵
PID:1248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
7⤵
PID:2636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
7⤵
PID:880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5272518022141047939,18063624819138164488,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2768 /prefetch:2
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:2716

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jO2720.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jO2720.exe
5⤵
- Modifies Windows Defender Real-time Protection settings
- Drops startup file
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:4388

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell" Get-MpPreference -verbose
6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1796

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
6⤵
PID:2452

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:4720

C:\Windows\SysWOW64\cmd.exe
"cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
6⤵
PID:4776

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
7⤵
- Creates scheduled task(s)
PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
88183486406641a45a16bba7832b90e6

SHA1
ee3d9a33b4889e2a35caa4114b21bf8bbf555789

SHA256
510f11d6326328b933c07ac76eff375292db027e310ba272f29151f1edb03e69

SHA512
198fe40ade7e11170cd0d787bd15372edd3716ef35e7fdf27588551dbb2aa7a606c72c8dfc07c6df95cd7dcc274e27e6a39784ccc6eb49419eb9416be8fac0d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
24202313d52f6fc53b3982b1daaf3b1f

SHA1
fbbe06b9fc617274a73145e873eed7c6f02c190f

SHA256
f610a074dfccb906c0518c9c0353ef4da397eec389c983111c4c8aedc504aa09

SHA512
03e96ff4e48e4808a671b4452bb1d5415733870720937506840ebaae8afd4368186c421da1b5945f22312e72b807c37a91f657aef9364160ec4dc2fc9a9a6185

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
25008fd50598c94d189680f392d55da1

SHA1
ef703cf5dbc33bad409d25c6a3b13a972e35f003

SHA256
f70188090c02be07f8c8f35565d46491743788ee30ea0a1458821ec884bb67d7

SHA512
8cf9c991a2be6fc1276e21b25b401f0077c78418ba868605f65c812da04a637ad0df187161ae2b2698d812f206ba8c1047ff35c2b22ae04a58e7782295fae539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d7b62971b6370e50c8418da9fdef2687

SHA1
d266f7c2a141b89f671360902ca371d02c7b3050

SHA256
9cfdbde2bb8abe1c1236f2d9ba65ce7bf6b4063802db2056a38b2c1ca05777de

SHA512
63de14f05412f067b151345916a80d09ba4b7c3986825da7cbb525c0f494d4d2c873a2d53ae1b2650c6bff1909307291f73ed640cd9d8a74d0ca6aeb3ab75664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3fcb03d0069cf419ff9c322806cfff72

SHA1
9f069b6d2594ef44c0faa8ba1cd60820d419e7bf

SHA256
422c2610e5025c9722b598963ad06761f76f46082d5f1341fe95c8df0a7586e3

SHA512
d59b47c5198b8fe58804a033a5612d8fc864cb539fec44a5563b0807d332e759bc3dc0bdfc3799fba86dbafc1446b2641eec086c7a0e602e535417b3bb94ef82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
203B

MD5
3cf12099075377a89a57355437f46ce8

SHA1
933a3d4b390ab44993693caee7f6240b0b7307ea

SHA256
c86c00fd9a7d5d6003630012e583723b73c5beef83657fcab2768f730728484d

SHA512
7ca8a080ea86d3dbac26dc2bf9def3a0e1c8d81733a07b2038f0c32836e7687f0f6765add6ef0c3162777066a2dacbdd06cdd09fd53fb8e0a11cfed852f40d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
203B

MD5
1dbfdfe34071acb66bfdb4cf06c64502

SHA1
c9b40f7fc28145cfce9248fe1553ca4eb056437f

SHA256
c8952e1cadc502a8ffda4b2df22286d0dee2c53f0f3d8a71c4f03f1efcddffd4

SHA512
4ee74d01ffd5455d4b6808d757c7ae6ad8624410fc1c9e805e9e09c7b329fe88d0e07210cba949361be2de938443cea8025102716efd4c17a9acbf9d89a98456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587f6c.TMP
Filesize
201B

MD5
e0a6b2193329dab5eece6d5d65946640

SHA1
d60374158b132103b0fe54be06dac74cac960eba

SHA256
4a208f1b1c0298e6babad5c3f65e7e0fec565d7de77cbc973f23ebae6b603bf8

SHA512
1b9b8cd2041188b55e675fc61afee1c82150136b04d865002e5195b1fbd0959c5a4075fabc21585b25f6ab3e090c0b9d36a7f169f1eaaec44184d09ab3d64d2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
fc2a9399f9d8f61c5f4c3347fdc5008e

SHA1
a441284547afd52154d49bc6e39205dc2429192f

SHA256
0f0a28b92529e83f47fe78714da177122b4a7a1cf8d8e25ab224a4609c2dadeb

SHA512
d9bc23321fd95abe108f5edcc9133cd9302aba73dcaf610f8f45ba926e79a6eab555a52db0273054b34680274be29ba1c1a1bc8b72de1aa78b6cf6fbc1db69f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Bw9gV17.exe
Filesize
2.7MB

MD5
3b1d4094eba6269fded822e2b1f4ce5f

SHA1
2b69a102b93ed974060ddb6ed3b35bbfbb159c98

SHA256
fca42107cc23cde057f16109805fc99477b2d71777f99ddf45db68d3988c741a

SHA512
d4911a8266aef29a3f31d4250cd3c07cdbd4753326455dc93c5488463fedd40726ff0ef7891da49bc5b64cd00af44ff4e54716ae8883aa3fc7bc73876ac31845

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\OW0HN88.exe
Filesize
2.2MB

MD5
5e032802ec5e14423c721c2787fb4f26

SHA1
5052d23304bdea8c2d968f2fa39d2096473b4620

SHA256
5cc16e573233c6e46c7bb27bcd1aac4b85036bccbd5fcd48fb6fabc55cf39dcc

SHA512
11849f6d25dbe31f2f60f81d6342aea53ca3e5aee8297ae80bc9539c70942ce8cc5f3346d4bfc60ffcbe9478a5d2e6ddc6a6d2a4b277dc7389cc183729bd7a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\lM5ar59.exe
Filesize
820KB

MD5
e28edee44618efdd55982a5b8b575946

SHA1
bc5a20898c4e061220ed17b814b19ad09c245368

SHA256
96470dd9cf775d76200554bf8f4eab0b691e1141f1cf5f5baf37c7b3ac7e3059

SHA512
f9ac36193a13b9a210495ed8c175a90b51678cd431ff4abf5df3cd02b8b1dc89586843dd1bba0ac205bd1e90f58c9f5929a654538fe9201f81bee676dc52bca1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\1DJ58Bv1.exe
Filesize
894KB

MD5
cf13905e4c5a440d209987d3c48613b2

SHA1
76b097ce4f47dc014ba43398b81a7b9b56c92f70

SHA256
5934bea60ae54a524e5e6c3b08116077cd3ddfe567ad5db9ce81f3d56d378d12

SHA512
d45b159ba68447d9921ffaf2fa80680050100ef948e2859941e994ff0327db274601f9f76a8539d01301aa3bb2bb010eb87b89dccf704c0cfe9a06d97aecc070

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\2jO2720.exe
Filesize
856KB

MD5
df08d5b083c446548784280232389247

SHA1
0e171d174f2e06beb5f12575f695d05119afd8b6

SHA256
95eb28cecc09ef4b82adb4de34611e9901047e6ffbf094c8e9b4eba48f57f64d

SHA512
243f8f8a2951c00e8256c087366be38875a73870ac1eb4f91a7ab140bf6818839f4d1760ce088dc05334f089c6cc7803f8fe959fb5ca34fdb8626289e0d1d2a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2fi3v11.5b1.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
\??\pipe\LOCAL\crashpad_3660_BKPNXOUMCGWJEXAF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1796-94-0x0000000007400000-0x0000000007432000-memory.dmp

Filesize
200KB

Download
memory/1796-113-0x00000000077A0000-0x00000000077B4000-memory.dmp

Filesize
80KB

Download
memory/1796-78-0x0000000006270000-0x00000000062BC000-memory.dmp

Filesize
304KB

Download
memory/1796-105-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/1796-106-0x0000000007440000-0x00000000074E3000-memory.dmp

Filesize
652KB

Download
memory/1796-107-0x0000000007BA0000-0x000000000821A000-memory.dmp

Filesize
6.5MB

Download
memory/1796-108-0x0000000007560000-0x000000000757A000-memory.dmp

Filesize
104KB

Download
memory/1796-109-0x00000000075D0000-0x00000000075DA000-memory.dmp

Filesize
40KB

Download
memory/1796-110-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/1796-111-0x0000000007760000-0x0000000007771000-memory.dmp

Filesize
68KB

Download
memory/1796-112-0x0000000007790000-0x000000000779E000-memory.dmp

Filesize
56KB

Download
memory/1796-95-0x0000000070600000-0x000000007064C000-memory.dmp

Filesize
304KB

Download
memory/1796-114-0x00000000078A0000-0x00000000078BA000-memory.dmp

Filesize
104KB

Download
memory/1796-115-0x0000000007880000-0x0000000007888000-memory.dmp

Filesize
32KB

Download
memory/1796-77-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/1796-69-0x0000000005C20000-0x0000000005F74000-memory.dmp

Filesize
3.3MB

Download
memory/1796-58-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/1796-59-0x0000000005BB0000-0x0000000005C16000-memory.dmp

Filesize
408KB

Download
memory/1796-57-0x0000000005370000-0x0000000005392000-memory.dmp

Filesize
136KB

Download
memory/1796-56-0x0000000005510000-0x0000000005B38000-memory.dmp

Filesize
6.2MB

Download
memory/1796-55-0x00000000010A0000-0x00000000010D6000-memory.dmp

Filesize
216KB

Download
memory/4388-40-0x00000000079E0000-0x0000000007A56000-memory.dmp

Filesize
472KB

Download
memory/4388-37-0x0000000000BF0000-0x0000000000CCC000-memory.dmp

Filesize
880KB

Download